Operation Gumblar Annihilation

THE OFFICIAL OPERATIONS ORDER FOR “GUMBLAR ANNIHILATION”, BASED ON THE FORMAT USED BY THE U.S. MILITARY

Disclaimer: These orders were established by the Commander (Me) based on her own experience fighting the Gumblar Virus on WordPress, MediaWiki, and ZenCart installations. She does not claim to be a professional virus fighter. She doesn’t even claim to know that much about computers and the internet (despite the fact that she is a web designer/developer by trade). She cannot guarantee that the plan of attack will work on all Gumblar infected platforms (though she can’t imagine why it wouldn’t). All she knows is that after 3 weeks of battle, the orders below (which pull from a number of Gumblar-related resources) are what finally worked.

Note to Soldier (AKA the reader): This OPORD was written with the assumption that you run a WordPress site. However, as mentioned above, it has been successfully applied to MediaWiki and ZenCart installations as well. So when you see “WordPress” in the instructions below, swap it with the name of the platform you are using.

—————————————————————————————————————–

U.S. WWW COMMAND – OPORD 666
GUMBLAR ANNIHILATION OPERATIONS ORDER

Situation
We are under attack. A large number of websites show recognizable signs of Gumblar infestation. Even those with no recognizable indicators seem to be having issues. Previously proven “Gumblar Killers” are no longer effective. All assassination attempts have failed.

Enemy
Goes by the name Gumblar. First sighted in May 2009, when it viciously attacked over 100,000 websites. A valiant battle was fought and Gumblar retreated. While in hiding, it strengthened its defenses. In early November 2009, security experts started receiving reports of “suspicious activity” in the land of Gumblar. A few days later, Gumblar made its official resurgence with a rapidly deployed stealth attack on a variety of traffic-heavy websites. Because of the clandestine nature of the attack, Gumblar was able to infiltrate hundreds of thousands of websites before the internet was even aware of the initial assault. With its ability to replicate and spread within seconds of insertion, and to disguise itself as regular code, Gumblar has proven to be a worthy adversary. Unfortunately, owing to its resilient nature, it has been incredibly hard to counteract its advances. The mechanism that matters for this OPORD: Gumblar steals FTP credentials from infected computers and uses them to inject its script into every site those credentials can reach, which is why the Execution below cleans your machine and revokes every stored login before the site itself is touched.

Environment
On a global level, one could consider the entire world wide web (and the subsequent machinery attached to it) as the environment. However, on a local level, one can constrain the environment to only encompass the following terrain…

  1. Web Hosting provider
  2. Personal network connections
  3. Personal machinery (and the subsequent programs they utilize)
  4. The WordPress platform

Environmental considerations to take into account include (but are not limited to)…

  1. Ability to secure personal machinery (i.e. cleanse it of all current problematic behavior)
  2. Ability to protect personal machinery against further attacks (via anti-virus software, firewall settings, browser security, etc.)
  3. Hosting provider vulnerabilities
  4. Program vulnerabilities
  5. Browser vulnerabilities
  6. WordPress vulnerabilities

Mission
Two words: Kill Gumblar

Execution

  1. Determine whether local machine infection exists, i.e. is my computer fucked up (Addendum 1)
  2. If local machine infection exists…eradicate local infection (Addendum 2)
  3. Upon confirmation that the local machine infection has in fact been annihilated, enact countermeasure to prevent future machine attacks (Addendum 3)
  4. After which, you must immediately destroy all local website settings (i.e. delete the saved FTP logins in every FTP client, code editor and other program that stores them)
  5. Once destruction of local website settings has been confirmed, all website associated log-ins (both usernames and passwords) must be reset. These include (but are not limited to)…
    1. Hosting provider login
    2. FTP login
    3. Database login
    4. WordPress login
  6. Upon completion of all reset-related activity, you must connect to the infected website (with newly created FTP credentials) and download it (in its entirety) to your local machine
  7. Once all files have been downloaded, you must delete every file on the server (leave nothing behind; the cleansed copy goes back up in step 12)
  8. And then, you must thoroughly cleanse all website-related files (Addendum 4)
  9. Following the consummation of cleansing-related activity, you must once again test your local machines for possible (new) infections
  10. If (new) local infection exists…eradicate local infection
  11. In accordance with receipt of (machine) clean bill of health, you must once again reset all website associated log-ins
  12. Upon (your now second) completion of all reset-related activity, you must upload the newly cleansed files to the server
  13. Once uploaded, you must enact countermeasure to prevent future website attacks (Addendum 5)

Service Support
You have a variety of tools at your disposal, including (but not limited to)…

  1. Anti-virus software (to uncover and quarantine infected files)
  2. Firewall software (to prevent widespread attack on local machinery)
  3. Malware destroying software (to annihilate traces of infection)
  4. Registry editing software (to further annihilate traces of infection)
  5. System cleansing software (to really and truly once and for all annihilate absolutely all traces of infection)
  6. WordPress security plugins (to prevent future attacks upon websites)

Command and Signal
The command to initiate execution of “Gumblar Annihilation” will be “IT’S TIME TO GET YOUR KILL ON”.

The signal will be the commencement of activity required to determine existence of machine infestation (Addendum 1).

—————————————————————————————————————–

WARNING TO SOLDIER

There are a bunch of websites out there that claim to offer specific Gumblar removal tools. 99% of these sites are not legit and are distributors of malicious content (i.e. your computer will be FUBAR). I strongly suggest you install the Web of Trust add-on (available for Firefox, IE, and Chrome) before you resume browsing.

—————————————————————————————————————–

ADDENDUM 1

Instructions for Determining whether or not your Machine has been Infected

  1. Download and install avast! (in the Commander’s experience the only free anti-virus software that detects the presence of Gumblar…and even then only most of the time)
  2. Using avast!, run a complete scan of your computer (which will probably take many many hours)
  3. After the avast! scan has completed, go ahead and download and install Malwarebytes’ Anti-Malware program
  4. Using Malwarebytes, run a complete scan of your computer (won’t take quite as long as avast!)
  5. If avast! and Malwarebytes both say you’re good, assume your machine has not been infected

—————————————————————————————————————–

ADDENDUM 2

Instructions for Complete Eradication of Machine Infestation

  1. If avast! detected the presence of Gumblar in a file, it moved said file to quarantine
  2. Go to the avast! quarantine and make a note of the exact name and location of the files
  3. Then, select the option to delete the quarantined files
  4. If Malwarebytes uncovered (further) infected files, it too quarantined the files
  5. Go to the Malwarebytes quarantine and make a note of the exact name and location of the files
  6. Then, select the option to delete the quarantined files
  7. Download and install HijackThis
  8. Open HiJackThis, choose “misc tools” and then choose “delete file on reboot” for each of the files uncovered by both the avast! AND Malwarebytes scanners (whose names and locations you should know from Steps 2 & 5)
  9. Run regedit (the Microsoft registry editor that comes with Windows) and delete the registry entries that reference the files uncovered by both scanners. Export each key (File > Export) before you delete it, so the change can be undone if it breaks something
  10. Download and install CCleaner
  11. Use CCleaner to remove all temporary files as well as clean your registry
  12. Delete all FTP details from all applications (don’t change the passwords yet, just delete them)
  13. Turn off System Restore (“Windows Restore”), which also discards every existing restore point, so a later restore cannot bring the infected files back (turn it back on once the scans in steps 15 and 16 come back clean)
  14. Reboot your computer
  15. Scan your entire computer again (using avast!)
  16. Scan your entire computer again (using Malwarebytes)
  17. Voila you (hopefully) now have a clean machine

—————————————————————————————————————–
ADDENDUM 3

Instructions for Enacting Countermeasures to Protect Machine Against Future Attacks

  1. Make sure all of your software is completely up-to-date. This includes…
    1. Windows
    2. FTP applications
    3. Anti-Virus programs
    4. Firewall programs
    5. Your web browser of choice
    6. Adobe Acrobat/Reader (you may well have it without remembering when it was installed; check anyway)
    7. Adobe Flash Player (same story; check anyway)
  2. If you haven’t already done so, enable “automatic updates” for Windows
  3. If you haven’t already done so, set avast! (or your chosen anti-virus software) security to “high”
  4. Disable Adobe JavaScript using the following (Adobe Recommended) procedure
    1. Launch Acrobat or Adobe Reader
    2. Select Edit>Preferences
    3. Select the JavaScript Category
    4. Uncheck the “Enable Acrobat JavaScript” option
    5. Click Ok
  5. Change all website related usernames and passwords. These include (but are not limited to)…
    1. Hosting Provider login
    2. FTP login
    3. Database login
    4. WordPress login
  6. Go to your web browser of choice and install the Web of Trust extension (available for Firefox, IE, and Chrome)
  7. If using Firefox… also install the NoScript extension
  8. Use a secure protocol (SFTP or FTPS) instead of plain FTP from now on. Plain FTP sends your username and password in cleartext, so anything watching the connection can read them. Note that an encrypted connection does nothing for credentials your FTP client has saved to disk on an infected machine, which is why the Execution has you delete stored logins and change every password before reconnecting

—————————————————————————————————————–

ADDENDUM 4

Instructions for Cleansing Website-Related Files
Based on the assumption that the website is WordPress based

  1. Download the entire website to local machine (every.single.file)
  2. Backup your database (just in case)
  3. Export your WordPress content via Tools > Export (just in case)
  4. Delete the files on the server (every.single.file)
  5. Delete the FTP credentials from all FTP programs on your computer (don’t worry about changing the password yet)
  6. Do a scan of the website files using avast!
  7. And then, do a scan of the website files using Malwarebytes
  8. If either of these scans uncovers files that need to be quarantined, make a note of the file names, as they are probably infected with more than just Gumblar. [Side Note: I say this because in my experience, while avast! and Malwarebytes might be good at detecting the virus in your computer’s actual “system files”, they FAIL HARDCORE at finding it in website files. Maybe there is a difference between how it infects a computer and how it infects a website? No clue. All I can say is that when I use any one of the MANY anti-virus programs (installed on my computer) to scan the website files, they all say that everything is a-ok. When I can CLEARLY see that everything is not a-ok. In fact, all you have to do is upload one file (I suggest picking any JavaScript or index file) from the problem website to http://www.virustotal.com/ and it will tell you that the file is NOT F-----G OK. Therefore if avast! or Malwarebytes do actually detect an infected file, it’s probably got something besides Gumblar.]
  9. Once the scans are done, open up your code editor of choice (I use Dreamweaver)
  10. Use Find/Replace to search the source code of the entire website’s folder for the following lines of code (each bullet point represents a different search)…
    1. <script> try{window.onload=function()
    2. <script>try{window.onload=function()
    3. try{window.onload=function(){document.write(
    4. <div id=megaid> (it’s likely that the previous search will have already taken care of this one, but you can’t be too careful)
  11. After each search you need to…
    1. Open up one of the resulting files and find the location of the line of code you searched for
    2. Copy the entire chunk of injected code, from the matched text through the closing </script> tag — #1 and #2 start with the code and end with a bunch of grayed out numbers. #3 starts with the code and ends with {}
    3. Paste the entire chunk of funky code into the Find section of Find/Replace, and leave the Replace section blank
    4. Click Replace All
    5. Click “yes” to the warning that pops up
  12. Now, go ahead and change the FTP password
  13. Upload the files
  14. You should be good to go

Note: If after you upload the files you start getting errors that reference a particular file when viewing the site online (typically “headers already sent” or “Cannot modify header information”), go to the file in question and make sure that there are NO EXTRA lines or spaces before the first <?php and after the final ?>. PHP sends any bytes outside the PHP tags to the browser as output, and once output has started WordPress can no longer set cookies or redirect…WordPress hates extra lines and spaces.
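The Find/Replace procedure above and the note about stray whitespace, as one added example. This is my own Python script, not the author’s method and not a real Gumblar sample: it walks a downloaded site folder, reports every file containing the injected block described by searches 1–4, removes the block when run with --fix, and lists PHP files with whitespace outside their <?php … ?> tags. The regular expressions, the set of scanned file types, the assumption that <div id=megaid> is closed by a </div>, and the constructed sample tree are all mine.

```python
import argparse
import re
import tempfile
from pathlib import Path

# The four Addendum 4 searches folded into two patterns. Searches 1-3 all open the same
# injected <script> block, so one pattern from that opening through </script> covers them.
# The page does not show what follows <div id=megaid>; assuming a closing </div> is ours.
INJECTION_PATTERNS = [
    re.compile(r"<script>\s*try\{window\.onload=function\(\).*?</script>", re.DOTALL | re.I),
    re.compile(r"<div id=megaid>.*?</div>", re.DOTALL | re.I),
]
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js"}  # file types worth scanning; others are left alone


def _site_files(root):
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            yield path, path.relative_to(root).as_posix()


def find_injections(root):
    """Map relative path -> number of injected blocks, for every file that has one."""
    hits = {}
    for path, rel in _site_files(root):
        text = path.read_text(encoding="utf-8", errors="replace")
        n = sum(len(p.findall(text)) for p in INJECTION_PATTERNS)
        if n:
            hits[rel] = n
    return hits


def clean_file(path):
    """Strip every injected block from one file; returns how many were removed."""
    path = Path(path)
    cleaned = original = path.read_text(encoding="utf-8", errors="replace")
    removed = 0
    for p in INJECTION_PATTERNS:
        cleaned, n = p.subn("", cleaned)
        removed += n
    if cleaned != original:
        path.write_text(cleaned, encoding="utf-8")
    return removed


def clean_site(root):
    """Clean every flagged file under root; returns the total number of blocks removed."""
    root = Path(root)
    return sum(clean_file(root / rel) for rel in find_injections(root))


def php_padding_issues(root):
    """The 'extra lines before <?php or after ?>' problem from the note in Addendum 4."""
    issues = {}
    for path, rel in _site_files(root):
        if path.suffix.lower() != ".php":
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        found = []
        start = text.find("<?php")
        if start > 0 and text[:start].strip() == "":
            found.append("whitespace before first <?php")
        body = text.rstrip()
        tail = text[len(body):]
        # PHP swallows one newline right after a closing tag; anything more becomes output.
        if body.endswith("?>") and tail not in ("", "\n", "\r\n"):
            found.append("whitespace after final ?>")
        if found:
            issues[rel] = found
    return issues


# Constructed sample tree (not a real Gumblar payload) so the script can be tried offline.
SAMPLE_FILES = {
    "index.html": "<html><body><p>Home</p>\n<script>try{window.onload=function()"
                  "{document.write('sample')}}catch(e){}</script>\n</body></html>\n",
    "wp-content/themes/sample/footer.php": "<?php wp_footer(); ?>\n<div id=megaid>sample</div>\n",
    "wp-content/themes/sample/functions.php": "\n\n<?php\nfunction sample_setup() {}\n?>\n\n\n",
    "wp-includes/version.php": "<?php\n$wp_version = 'x.y';\n",
}


def build_sample_site():
    root = Path(tempfile.mkdtemp(prefix="gumblar-sample-"))
    for rel, content in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Report (and with --fix remove) the Addendum 4 injections")
    ap.add_argument("root", nargs="?", help="downloaded site folder; omit to use the built-in sample")
    ap.add_argument("--fix", action="store_true", help="rewrite files instead of only reporting")
    args = ap.parse_args()
    site = args.root or build_sample_site()
    for rel, n in find_injections(site).items():
        print(f"{n} injected block(s): {rel}")
    if args.fix:
        print(f"removed {clean_site(site)} block(s)")
    for rel, problems in php_padding_issues(site).items():
        print(f"{rel}: {', '.join(problems)}")
```

Run it on the downloaded copy after the anti-virus scans (between steps 7 and 8 of this addendum), once without --fix to see what it finds and then with --fix. It removes only the injection the searches describe; it does not find backdoors an attacker may have dropped as new files, so also compare the cleaned copy against a fresh download of the same WordPress, theme and plugin versions and treat anything extra as suspect.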

—————————————————————————————————————–

ADDENDUM 5

Instructions for Enacting Countermeasures to Protect WordPress Site Against Future Attacks By Any and All Enemy Forces
Basic tips for securing a WordPress site, compiled from a number of resources including the WordPress Codex. However this list is by no means exhaustive, as there are a million different ways to secure a WordPress site.

  1. If you have not already done so, change all website-associated usernames and passwords (hosting, ftp, database, WordPress, blah blah blah)
  2. Make sure the usernames and passwords are not easy to guess (i.e. usernames cannot be “admin” and passwords can not be “password” or “qwerty” or any variations of such)
  3. Make sure you are running the latest versions of both WordPress AND all applicable plugins (this is INCREDIBLY important)
  4. Lock down your file permissions with the following permission scheme (taken from the WordPress Codex). Be aware that “writable by all” means any other account on a shared host, or any compromised process on the server, can write there too; where the web server genuinely needs write access, give it to the web server’s group rather than to everyone
    1. / – (the root WordPress directory) — all files should be writable only by your user account EXCEPT .htaccess which should be writable by all
    2. /wp-admin/ — all files should be writable only by your user account.
    3. /wp-includes/ — all files should be writable only by your user account.
    4. /wp-images/ — all files should be writable only by your user account.
    5. /wp-content/ — all files should be writable by all (owner/user, group, and public).
    6. /wp-content/themes/ — If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account
    7. /wp-content/plugins/ — all files should be writable only by your user account.
    8. Other directories under /wp-content/ should be documented by whatever the plugin / theme requires. Permissions may vary.
  5. Secure your admin section by installing the AskApache Password Protection plugin (warning: if for some reason the plugin locks you out of your site, follow the instructions located here to uninstall the plugin)
  6. Edit your wp-config.php and change (or create, if missing) the secret key definitions: SECRET_KEY on older releases; AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY on current ones. WordPress uses these to sign login cookies, so changing them after a compromise also throws out any session an attacker may still be holding.
  7. Move your wp-config.php file to the directory above the WordPress install. WordPress looks one level up automatically if the file is not in its own directory, so if WordPress is installed at the root level this puts your database credentials outside the web-root folder
  8. Install the following Security Plugins and follow instructions for each…
    1. Admin-SSL
    2. WP Security Scan
    3. WP Exploit Scanner
    4. WordPress Firewall
    5. WordPress AntiVirus
  9. If you are the only registered user for your site, go to your WordPress General Settings and turn off the “Anyone can Register” option
  10. Obscure your website with the following steps…
    1. Rename the administrative account:
      1. On a new install you can simply create a new Administrative account and delete the default admin account.
      2. On an existing install you may rename the existing account in the MySQL command-line client with a command like update tableprefix_users set user_login='newuser' where user_login='admin'; (tableprefix is wp_ unless you changed it) or by using a MySQL frontend like phpMyAdmin.
    2. Change the table_prefix: Plugins that do this include WP Prefix Table Changer and WordPress Table Rename.
    3. Hide which version of WordPress you are running: Plugins that do this include Secure WordPress and WP-Secure Remove WordPress Version
  11. Make sure you backup your site on a REGULAR basis. This includes…
    1. Backing up the actual website files
    2. Backing up the database, either manually or using a plugin such as WP-DBManager (a wonderful plugin which lets you do a whole bunch of database related stuff all from the safety of your WordPress admin section)
    3. Exporting your WordPress content (via Tools>Export)
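A second added example for item 4 above, again my own Python rather than anything from the page or the Codex. It audits a site folder for world-writable entries and applies the owner-only baseline (755 for directories, 644 for files). It departs from the scheme above in two places that are my assumptions: wp-content/uploads is made group-writable (assuming your account and the web server share a group) instead of world-writable, and wp-config.php gets 640 so other accounts on the host cannot read the database password. The sample tree it builds is constructed for the demonstration.

```python
import stat
import tempfile
from pathlib import Path

# Baseline from Addendum 5 item 4: only the owner may write. Directories keep x so the web server can traverse.
DIR_MODE = 0o755
FILE_MODE = 0o644
# Our assumptions, not from the page: the web server shares a group with your account, so the
# subtrees it must write at runtime get group write rather than world write; wp-config.php is
# hidden from other accounts on the host because it holds the database password.
GROUP_WRITABLE_DIRS = ("wp-content/uploads",)
GROUP_DIR_MODE = 0o775
CONFIG_MODE = 0o640


def _walk(root):
    root = Path(root)
    yield root
    yield from sorted(root.rglob("*"))


def world_writable(root):
    """Relative paths of every file or directory that any account on the host may modify."""
    root = Path(root)
    return [p.relative_to(root).as_posix() for p in _walk(root)
            if not p.is_symlink() and p.stat().st_mode & stat.S_IWOTH]


def harden_permissions(root, group_writable_dirs=GROUP_WRITABLE_DIRS):
    """Apply the scheme; returns {relative path: new mode} for every entry that was changed."""
    root = Path(root)
    group_roots = [root / d for d in group_writable_dirs]
    changed = {}
    for p in _walk(root):
        if p.is_symlink():
            continue  # never chmod through a link
        if p.is_dir():
            mode = GROUP_DIR_MODE if any(p == g or g in p.parents for g in group_roots) else DIR_MODE
        elif p.name == "wp-config.php":
            mode = CONFIG_MODE
        else:
            mode = FILE_MODE
        if stat.S_IMODE(p.stat().st_mode) != mode:
            p.chmod(mode)
            changed[p.relative_to(root).as_posix()] = mode
    return changed


def build_sample_site():
    """Constructed tree in the common 'chmod -R 777 until it works' state."""
    root = Path(tempfile.mkdtemp(prefix="wp-perms-"))
    for rel in ("wp-admin", "wp-includes", "wp-content/plugins", "wp-content/uploads/2010"):
        (root / rel).mkdir(parents=True)
    for rel in ("index.php", "wp-config.php", ".htaccess",
                "wp-content/plugins/hello.php", "wp-content/uploads/2010/photo.jpg"):
        (root / rel).write_text("sample\n")
    for p in _walk(root):
        p.chmod(0o777)
    return str(root)


if __name__ == "__main__":
    site = build_sample_site()
    print("world-writable before:", world_writable(site))
    for rel, mode in harden_permissions(site).items():
        print(f"{oct(mode)} {rel}")
    print("world-writable after:", world_writable(site))
```

Run it on the server (through a shell account on the host), not on your local copy: permission bits are generally not carried across an FTP upload, so hardening the files before uploading them does nothing on the server side. If a plugin or theme then fails to write somewhere, add that one directory to the group-writable list rather than reaching for 777.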

—————————————————————————————————————–

REFERENCES

Specifically Gumblar Related

  1. Unmask Parasites Blog
    1. Gumblar .cn Exploit – 12 Facts About This Injected Script
    2. Gumblar Breaks WordPress blogs and other complex PHP sites
    3. Revenge of Gumblar Zombies
  2. Gumblar – virus Threat to the Internet – How to Remove
  3. Removal and Prevention of Gumblar.cn Infections
  4. Automatic removal of Gumblar/Martuz trojan (note: I have not tried his program since it was created for an older version of Gumblar, however it might still work)
  5. BadwareBusters.org
  6. Another Round of Beladen? Or, The New “Go” Infection
  7. Tips for Cleaning & Securing Your Website
  8. VirusList.com

Specifically WordPress Related

  1. WordPress Security Whitepaper (I highly recommend you read this)
  2. How to find a backdoor in a hacked WordPress
  3. Check your website for virus attack
  4. WordPress Security How To
  5. Hardening WordPress
  6. Did your WordPress site get hacked?
  7. WordPress Security Tips and Hacks
  8. Security and Hacking: Protect Thyself and Thy WordPress Blog
  9. 20 WordPress Security Plug-ins & Tips

—————————————————————————————————————–

USEFUL TOOLS (AKA ESSENTIAL BOOKMARKS)

  1. Virus Total (Analysis) the only online tool I have found that detects Gumblar 100% of the time
  2. Unmask Parasites (beta) last time I tried it, it wasn’t detecting Gumblar, but it’s a work-in-progress and can detect other things

—————————————————————————————————————–

THE END

This OPORD has been signed off on by Commander Anonymous Admin (from the Unit “Obnoxious Clients”)


Author: The Anonymous Admin
Posted: 2/7/10
Categories: Non Client-Related Hate, Sometimes I Crack Myself Up, The Internet Sucks